[Request] Watermark in 8.1

Discussion in 'Windows 8' started by heldigard, Sep 18, 2013.

  1. heldigard

    heldigard, MDL Junior Member, joined Jan 9, 2010
    #1 heldigard, Sep 18, 2013
    Last edited by a moderator: Apr 20, 2017
    Well, I want to ask the expert programmers who visit this forum for help finding a way to remove the activation watermark. I spent time checking the files twinui.dll and twinui.appcore.dll. I am a newbie at hex editing, DLL injection and DLL hooking, but these are the results of my time spent looking for a way to remove the watermark while the smarter guys find the key for the KMS v6 protocol.

    Some twinui.dll imports in IDA:

    Code:
    
    api-ms-win-core-winrt-string-l1-1-0.dll: 
    __declspec(dllimport) __stdcall WindowsCreateString(x, x, x)
    __declspec(dllimport) __stdcall WindowsGetStringLen(x)
    __declspec(dllimport) __stdcall WindowsGetStringRawBuffer(x, x)
    __declspec(dllimport) __stdcall WindowsIsStringEmpty(x)
    __declspec(dllimport) __stdcall WindowsGetStringLen(x)
    __declspec(dllimport) __stdcall WindowsCreateStringReference(x, x, x, x)
    
    UxTheme.dll:
    __declspec(dllimport) __stdcall BeginBufferedPaint(x, x, x, x, x)
    HRESULT __stdcall GetThemeColor(HTHEME hTheme, int iPartId, int iStateId, int iPropId, COLORREF *pColor)
    __declspec(dllimport) __stdcall EndBufferedPaint(x, x)
    HTHEME __stdcall OpenThemeData(HWND hwnd, LPCWSTR pszClassList)
    __declspec(dllimport) __stdcall DrawThemeTextEx(x, x, x, x, x, x, x, x, x)
    __declspec(dllimport) __stdcall BufferedPaintInit()
    __declspec(dllimport) __stdcall GetThemeTimingFunction(x, x, x, x, x)
    
    DUI70.dll:
    __declspec(dllimport) public: virtual void __thiscall DirectUI::RichText::Paint(struct HDC__ *, struct tagRECT const *, struct tagRECT const *, struct tagRECT *, struct tagRECT *)
    
    api-ms-win-core-winrt-l1-1-0.dll:
    __declspec(dllimport) __stdcall RoGetActivationFactory(x, x, x)
    __declspec(dllimport) __stdcall RoActivateInstance(x, x)
    
    api-ms-win-core-sysinfo-l1-2-1.dll:
    void __stdcall GetSystemInfo(LPSYSTEM_INFO lpSystemInfo)
    __declspec(dllimport) __stdcall GetTickCount64()
    DWORD __stdcall GetTickCount()
    
    

    Some twinui.appcore.dll imports in IDA:

    Code:
    ext-ms-win-ntuser-misc-l1-2-0.dll:
    BOOL __stdcall KillTimer(HWND hWnd, UINT_PTR uIDEvent)
    
    api-ms-win-core-processthreads-l1-1-2.dll:
    BOOL __stdcall GetProcessTimes(HANDLE hProcess, LPFILETIME lpCreationTime, LPFILETIME lpExitTime, LPFILETIME lpKernelTime, LPFILETIME lpUserTime)
    
    api-ms-win-security-base-l1-2-0.dll:
    BOOL __stdcall GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
    

    Some twinui.dll exports in IDA:
    Code:
    HRESULT __stdcall DllCanUnloadNow()
    HRESULT __stdcall DllGetActivationFactory(HSTRING__ *activatableClassId, IActivationFactory **factory)
    
    

    Function DllGetActivationFactory in W32Dasm and HexView for Twinui.dll (x86):
    Code:
    Exported fn(): DllGetActivationFactory - Ord:0002h
    :10040205 8BFF                    mov edi, edi
    :10040207 55                      push ebp
    :10040208 8BEC                    mov ebp, esp
    :1004020A E8FE930400              call 1008960D
    :1004020F 8BC8                    mov ecx, eax
    :10040211 5D                      pop ebp
    :10040212 90                      nop
    :10040213 90                      nop
    :10040214 90                      nop
    :10040215 90                      nop
    :10040216 90                      nop
    :10040217 8BFF                    mov edi, edi
    :10040219 55                      push ebp
    :1004021A 8BEC                    mov ebp, esp
    :1004021C 83EC38                  sub esp, 00000038
    :1004021F A190E14110              mov eax, dword ptr [1041E190]
    :10040224 33C5                    xor eax, ebp
    :10040226 8945FC                  mov dword ptr [ebp-04], eax
    :10040229 53                      push ebx
    :1004022A 8B5D0C                  mov ebx, dword ptr [ebp+0C]
    :1004022D 56                      push esi
    :1004022E 8B7508                  mov esi, dword ptr [ebp+08]
    :10040231 57                      push edi
    :10040232 832300                  and dword ptr [ebx], 00000000
    :10040235 8BF9                    mov edi, ecx
    :10040237 56                      push esi
    :10040238 FF1538D04110            call dword ptr [1041D038] //WindowsIsStringEmpty
    :1004023E 85C0                    test eax, eax
    :10040240 0F8508AC1E00            jne 1022AE4E
    :10040246 8D45C8                  lea eax, dword ptr [ebp-38]
    :10040249 50                      push eax
    :1004024A 56                      push esi
    :1004024B FF1530D04110            call dword ptr [1041D030] //WindowsStringHasEmbeddedN
    :10040251 85C0                    test eax, eax
    :10040253 0F88F5AB1E00            js 1022AE4E
    :10040259 837DC801                cmp dword ptr [ebp-38], 00000001
    :1004025D 0F84EBAB1E00            je 1022AE4E
    :10040263 6A00                    push 00000000
    :10040265 56                      push esi
    :10040266 FF1524D04110            call dword ptr [1041D024] //WindowsGetStringRawBuffer
    :1004026C 8B0F                    mov ecx, dword ptr [edi]
    :1004026E 57                      push edi
    :1004026F 8945CC                  mov dword ptr [ebp-34], eax
    :10040272 FF5114                  call [ecx+14]
    :10040275 8B0F                    mov ecx, dword ptr [edi]
    :10040277 57                      push edi
    :10040278 8D7004                  lea esi, dword ptr [eax+04]
    :1004027B FF5118                  call [ecx+18]
    :1004027E 8945D0                  mov dword ptr [ebp-30], eax
    
    

    I tried changing the function DllGetActivationFactory to "90" (nop) and still nothing happened. The same function is in twinui.appcore.dll and Windows.UI.Xaml.dll.

    I also tried changing UxTheme.dll, with no luck. So any ideas while somebody else is working on the KMS emulator would be great.
     
  2. endbase

    endbase, MDL Guru, joined Aug 12, 2012
  3. endbase

    endbase, MDL Guru, joined Aug 12, 2012
    Oh ok, bad reading on my side :D
     
  4. woot332

    woot332, MDL Senior Member, joined Feb 18, 2011
    IMO it's not worth the effort anyway; have fun playing with the M$ bits. :p
     
  5. muiz

    muiz, MDL Member, joined Dec 8, 2007
    #6 muiz, Sep 19, 2013
    Last edited by a moderator: Apr 20, 2017
    There is also this:

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation]
    "ActivationInterval"=dword:000dbba0
    "Manual"=dword:00000001
    "NotificationDisabled"=dword:00000001
     
  6. Belarathon

    Belarathon, MDL Senior Member, joined Nov 21, 2007
    #7 Belarathon, Sep 19, 2013
    Last edited by a moderator: Apr 20, 2017

    Seriously? That works?
     
  7. Gmas79

    Gmas79, MDL Novice, joined Jan 16, 2012
    For my test VHD-boot Windows 8.1 Enterprise x64 I used ru-board member stea's evaluation activator. Just to get rid of the activation nag text, it is working fine.
    Removed the build number watermark using My WCP Watermark Editor. Store, Update, everything working.
     
  8. Smorgan

    Smorgan, Glitcher, joined Mar 25, 2010
    #9 Smorgan, Sep 19, 2013
    Last edited: Sep 19, 2013
    Hmmm the Activate windows watermark.

    The watermark itself is tied with sppsvc. Hang on a sec I need to check my notes...

    (goes through notes)...

    Damn, my notes on this are not complete for the shell side. However, twinui.dll has nothing to do with the activation side you're looking for. twinui.dll reports to the Metro side directly in order to pass information from the main activation DLLs to SystemSettings.exe, which shows the activation in the Metro menu. In other words, you're not looking in the right spot.

    The activation watermark is actually tied to sppsvc, as Windows adds that mark from that service and not from explorer.exe or twinui.dll, for that matter.
     
  9. Smorgan

    Smorgan, Glitcher, joined Mar 25, 2010
    Well, to be more precise, twinui.dll links to SystemSettings.exe, which is the Metro side for the activation.

    This inherently links to slc.dll, passing on information to sppsvc.exe (this is deep stuff). The watermark has two sides to it. One is the version and evaluation information; the other is the service that runs on top of that, which is sppsvc.exe, which links up with everything to make the activation system run coherently. This system is made up of more than two dozen files (if not more) on the system and even runs in the kernel, with a few files linking to it (I got bored). In an advisory context I would not look to bypass the activation watermark. I would simply try to look for a way to remove all the activation messages and spoof it. The information provided here is not circumstantial, as I have notes regarding this.

    You're not thinking big enough. The activation is a multi-file system that runs through a momentous number of files. If you want to see what it runs through, simply look at the import/export table. You are correct regarding uxtheme.dll, though, as it has an SLC call that runs through the import table ;)

    That being said, if I need to write down notes with the amount of information IDA normally provides, then it's for good reason; you should look at the big picture. :)
     
  10. woot332

    woot332, MDL Senior Member, joined Feb 18, 2011
    Why would anyone hack-activate their OS to patch some watermarks?
    In Windows 8.0 all that was needed was to patch shell32.dll and twinui.dll to remove all watermarks; that's what I did.
     
  11. pisthai

    pisthai, Imperfect Human, joined Jul 29, 2009
    I think, in terms of activation, you cannot compare Windows 8 with Windows 8.1; there are too many differences between those two versions!
     
  12. Smorgan

    Smorgan, Glitcher, joined Mar 25, 2010
    #13 Smorgan, Sep 30, 2013
    Last edited: Sep 30, 2013
    Actually when I started looking at Windows 8.1 I just took out my Windows 8 notes and started.

    The differences are not even that great.

    The general point is that you'd have better luck cracking Windows than removing the watermark.
     
  13. dummekuehe

    dummekuehe, MDL Senior Member, joined Jan 11, 2009
    You say it is not related to explorer.exe,
    but when you close explorer.exe the activation watermark disappears.
     
  14. Smorgan

    Smorgan, Glitcher, joined Mar 25, 2010
    The explorer portion of the activation was removed following the development of Windows 8. However, if it's not in explorer.exe, it's in one of the dependencies of the OS, as is the case with uxtheme.dll. Also, it takes freaking forever to reverse engineer Windows licensing because of the number of files. I have no doubt that somehow the watermark is tied with slc.dll, but I can't directly connect the dots.
     
  15. KNARZ

    KNARZ, MDL Addicted, joined Oct 9, 2012
    #16 KNARZ, Sep 30, 2013
    Last edited by a moderator: Apr 20, 2017
    We just need a way to edit this protected key
    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductPolicy
    while still running sppsvc (for updates), and all problems are gone.

    With http://forums.mydigitallife.net/threads/39411-Windows-Product-Policy-Editor you can edit the license state in any way, but updates which contain 'xrm-ms' files (spp\tokens) will fail, as the updates try to install the license with sppsvc disabled, which will fail.
    So you can also 'fake' the activation state if you type the exact data into the value. With 8.1 they added some entries I don't understand (yet), but they seem not to affect the system (in my VM).

    All Windows features, activation, timebombs and so on are bound to this reg key, which is refreshed by sppsvc from tokens.dat once in a while.

    I would be interested in the thread from this Korean guy and his slchook.dll, but I didn't find anything useful.

    There are many ways to trick the system, but the registry key seems so far the easiest way.
    I also have a proof-of-concept driver for Win8 to manipulate kernel-protected processes.
     
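What the ProductPolicy value named in the post above actually contains, as an added example that is not code from the thread or from the linked Product Policy Editor. The binary layout it decodes (a 0x14-byte header of five DWORDs, 0x10-byte per-value headers followed by a UTF-16LE name and the data, 4-byte alignment, and a 0x45 end marker) is an assumption taken from public parsers of this value rather than anything the thread states, so verify it against a live blob before relying on the output. The sample blob is constructed inline so the script runs anywhere; the optional live read is read-only and Windows-only.

```python
import struct
import sys

# Registry value types that appear inside the blob (same numbering as winreg).
REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4
# ASSUMED layout (not stated in the thread): blob header and per-value header.
HDR = struct.Struct("<IIIII")   # total_size, data_size, endmarker_size, reserved, revision
VAL = struct.Struct("<HHHHII")  # entry_size, name_size, type, data_size, flags, padding
END_MARKER = 0x45


def _align4(n):
    return (n + 3) & ~3


def build_policy(entries):
    """Serialise [(name, type, raw_bytes)] into a blob; used here only to construct sample input."""
    body = b""
    for name, vtype, data in entries:
        wname = name.encode("utf-16-le")
        raw = VAL.size + len(wname) + len(data)
        size = _align4(raw)                      # entries are assumed to be 4-byte aligned
        body += VAL.pack(size, len(wname), vtype, len(data), 0, 0) + wname + data
        body += b"\x00" * (size - raw)
    end = struct.pack("<I", END_MARKER)
    return HDR.pack(HDR.size + len(body) + len(end), len(body), len(end), 0, 1) + body + end


def parse_policy(blob):
    """Return {name: value}. Raises ValueError when the sizes inside the blob disagree."""
    if len(blob) < HDR.size:
        raise ValueError("blob shorter than header")
    total, data_size, end_size, reserved, revision = HDR.unpack_from(blob, 0)
    if total != len(blob) or reserved != 0 or revision != 1:
        raise ValueError("header does not describe this blob")
    if end_size != 4 or HDR.size + data_size + end_size != total:
        raise ValueError("header sizes do not add up")
    if struct.unpack_from("<I", blob, HDR.size + data_size)[0] != END_MARKER:
        raise ValueError("end marker missing")
    values, off, end = {}, HDR.size, HDR.size + data_size
    while off < end:
        if off + VAL.size > end:
            raise ValueError("truncated value header at 0x%x" % off)
        size, name_size, vtype, vdata_size, _flags, _pad = VAL.unpack_from(blob, off)
        if size < VAL.size + name_size + vdata_size or off + size > end:
            raise ValueError("value at 0x%x overruns its container" % off)
        name_off = off + VAL.size
        name = blob[name_off:name_off + name_size].decode("utf-16-le")
        data = blob[name_off + name_size:name_off + name_size + vdata_size]
        if vtype == REG_DWORD and len(data) == 4:
            values[name] = struct.unpack("<I", data)[0]
        elif vtype == REG_SZ:
            values[name] = data.decode("utf-16-le").rstrip("\x00")
        else:
            values[name] = data                  # REG_BINARY and unknown types stay raw
        off += size
    return values


def is_well_formed(blob):
    """True when parse_policy() accepts the blob without complaint."""
    try:
        parse_policy(blob)
        return True
    except (ValueError, struct.error):
        return False


def read_live_policy():
    """Read-only dump of the live value; Windows only."""
    import winreg  # stdlib, but only present on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\ProductOptions") as key:
        blob, kind = winreg.QueryValueEx(key, "ProductPolicy")
    if kind != winreg.REG_BINARY:
        raise ValueError("unexpected value type %d" % kind)
    return parse_policy(blob)


# Constructed sample data: the first two names are modelled on entries seen in real
# blobs, the third is made up, and every value here is invented for the demo.
SAMPLE_ENTRIES = [
    ("Kernel-ProductInfo", REG_DWORD, struct.pack("<I", 0x2B)),
    ("Kernel-ExpirationDate", REG_BINARY, b"\x00" * 8),
    ("Sample-EditionName", REG_SZ, "Enterprise\x00".encode("utf-16-le")),
]

if __name__ == "__main__":
    policy = read_live_policy() if "--live" in sys.argv and sys.platform == "win32" \
        else parse_policy(build_policy(SAMPLE_ENTRIES))
    for name in sorted(policy):
        print("%-40s %r" % (name, policy[name]))
```

Run it with no arguments to decode the constructed sample; on Windows, `--live` dumps the real value instead. Reading the value works as a standard user; writing it back is the part the post calls protected, and this script never does that. The size cross-checks in parse_policy are the point for anyone who does edit the blob with another tool: a truncated or mis-sized value is rejected rather than silently misparsed.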
  16. Smorgan

    Smorgan, Glitcher, joined Mar 25, 2010
    #17 Smorgan, Sep 30, 2013
    Last edited by a moderator: Apr 20, 2017
    That is inherently false. Sorry, I don't normally go out of my way to say this, but the activation is not tied to tokens.dat exclusively. The registry keys, services, DLLs etc. merely keep the activation state refreshing while it continues to look at tokens.dat. However, as a whole the timebombs, Windows features, activation, etc. are also tied to the kernel licensing. Even if you manage to get a fake activation state, there is no inference that can be made that the kernel will accept those changes and say "oh, I'm activated now".

    If you do more research on this, it's pretty apparent in the long run. I personally do not understand the mindset of people looking exclusively at tokens.dat, as it misses the whole masterpiece, which is the Windows licensing.
     
  17. KNARZ

    KNARZ, MDL Addicted, joined Oct 9, 2012
    #18 KNARZ, Sep 30, 2013
    Last edited: Sep 30, 2013
    sppsvc checks the tokens and data (and maybe some more; I'm not claiming bullet-proof knowledge on my side) and writes your license information into this reg value! The kernel license IS this reg value. With sppsvc disabled and the reg key edited I can still run W8 without any complaints (except updates that contain xrm-ms files). You can edit all license information as you want and can e.g. enable LOB and so on.
    All queries from applications and so on go to this long value. The reg data is generated from tokens.dat and gets refreshed over time. That's pretty much a fact, as I'm running multiple VMs for testing purposes exclusively for this issue.
     
  18. KNARZ

    KNARZ, MDL Addicted, joined Oct 9, 2012
    And it is more or less all about tokens.dat: if there were a patched sppsvc which accepts xrm-ms files without checking the hashes, you could pretty easily create an xrm-ms file which will activate your system completely offline. Windows Embedded 7, e.g., has complete offline activation. It might be possible to extract the activation info from the SKU file and use it with Win8 SKU files with adapted license IDs and so on. There are many ways possible, but as I said, the reg key would be the easiest way, I guess.
     
  19. Smorgan

    Smorgan, Glitcher, joined Mar 25, 2010
    #20 Smorgan, Sep 30, 2013
    Last edited: Sep 30, 2013
    That's my point: you could edit tokens.dat, or data.dat for that matter, and not make any progress. The general presumption of tokens.dat being the main file which sppsvc checks is flawed. The registry keys merely connect sppsvc with the xrm-ms files, in such a way that if you edit them out it restores them on a reboot. If it was that easy to bypass the activation, it would have been done already. Why make a licensing system which could easily be bypassed in such a manner? The tokens back up to a secondary location for sppsvc in case they are modified, as does the registry. And at the kernel level, if you try to mod that, you basically BSOD the whole system.

    Again, you guys are not thinking big enough. The xrm-ms files and tokens play a big role in the activation system but are not all the pieces of the puzzle. I'm merely going to be a reference person in this case, as my days of having time to crack Windows have come and gone, lol. Offline activation inevitably requires input from the activation server to activate the product, so you are trying to reinvent the wheel ;)

    Look for a portion of the activation that is inherently flawed then chip at it.
     